This topic contains 24 replies, has 0 voices, and was last updated by 
-
Posts
-
Hello all,
Right now I am sitting in a test environment. I have the WAN port on the ZS server statically assigned. We have a direct allocation from ARIN (American Registry for Internet Numbers), it’s a /22 and it’s our VLAN74.
Right now VLAN20, 30 and 70 are private VLANs and are NAT’d. I used the following IPtables to NAT them.
iptables -t nat -I POSTROUTING 1 –src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 152.93.0.0/16 -o eth1.70 -j MASQUERADEVLAN74 should not be NAT’d, and from the above IP tables that should correct. However, when I put myself on VLAN74 I can gain access to the outside world. In the test environment that I am in right now, there is no route set up for this VLAN, so if this VLAN isn’t being NAT’d, I should not be able to get to the outside world. Once this server is taken from our test lab and put into a production scenario, there will be routing on VLAN74 and outside access will be acheived.
But as it stands in the test environment that I am in, VLAN74 should not be able to get to get outside. This leads me to believe VLAN74 is also being NAT’d.
Is there a way to check this out on the server? From what I am seeing we are not doing anything that would make the server want to NAT’d vlan74.
Thoughts?
1) Make sure eth1 is the wan interface.
2) Print here the output ofiptables -t nat -L -v
@ppalias wrote:
1) Make sure eth1 is the wan interface.
2) Print here the output ofiptables -t nat -L -v
Does Eth1 have to be the WAN port? Can it be Eth0?
It can be ETH00. I actually use ETH00 as the WAN and ETH01 as LAN.
You just have to be careful as 99% of the examples shown here are the opposite, so you’ll have to remember that…
Regads,
I’ll run the above command from the server when I get back to the office on Monday.
Thanks all,
Alright, here is the output from the iptables -t nat -L -v command.
root@fw root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 9173 packets, 1528K bytes)
pkts bytes target prot opt in out source destinationChain POSTROUTING (policy ACCEPT 40 packets, 3240 bytes)
pkts bytes target prot opt in out source destination
4134 311K SNATVS all — any any anywhere anywhere
4098 308K MASQUERADE all — any ETH00 anywhere anywhereChain OUTPUT (policy ACCEPT 3949 packets, 300K bytes)
pkts bytes target prot opt in out source destinationChain SNATVS (1 references)
pkts bytes target prot opt in out source destination*****Edit*****
Here are our pre-boot iptable commands. Just so you have them also. The below commands should not include vlan74 to be NAT’d correct?iptables -t nat -I POSTROUTING 1 –src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 152.93.0.0/16 -o eth1.70 -j MASQUERADEThere is a huge mixup here. ZS is NATing everything going out of interface ETH00 and you are trying to NAT some VLANs on interface ETH01. Firstly make sure which interface is the outside and then remove the general NAT that ZS does on interface ETH00.
@ppalias wrote:
There is a huge mixup here. ZS is NATing everything going out of interface ETH00 and you are trying to NAT some VLANs on interface ETH01. Firstly make sure which interface is the outside and then remove the general NAT that ZS does on interface ETH00.
I guess I am confused on how to make ZS view my ETH00 as the wan port, and make ETH01, ETH01.20, ETH01.30 and ETH01.70 NAT’d behind ETH00, and how to make ETH01.74 and ETH01.90 not NAT’d……
How should my Router>NAT page look like? I have had ETH00 in the “NAT Enabled Interfaces”, that’s when everything appears to be NAT’d and I have had ETH01, ETH01.20, ETH01.30 and ETH01.70 in there leaving ETH00 out….
Not sure what I am doing wrong.
First of all which one is the WAN interface…
Okay remove the ETH00 from the “NAT Enabled Interfaces”. Then add a specific iptables command.
iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
@ppalias wrote:
Okay remove the ETH00 from the “NAT Enabled Interfaces”. Then add a specific iptables command.
iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
Ok. So I have tried this several ways.
Way 1:
Eth01, eth01.20, eth01.30 and eth01.70 in the NAT Enabled Interfaces with the following IP TAbles.iptables -t nat -I POSTROUTING 1 –src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 –src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 –src 152.93.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 –src 152.93.0.0/16 -o eth1.70 -j MASQUERADEThe iptables -t nat -L -v result is:
root@fw root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 22 packets, 2606 bytes)
pkts bytes target prot opt in out source destinationChain POSTROUTING (policy ACCEPT 38 packets, 2966 bytes)
pkts bytes target prot opt in out source destination
37 3430 SNATVS all — any any anywhere anywhere
3 704 MASQUERADE all — any ETH01 anywhere anywhere
0 0 MASQUERADE all — any ETH01.20 anywhere anywhere
0 0 MASQUERADE all — any ETH01.30 anywhere anywhere
0 0 MASQUERADE all — any ETH01.70 anywhere anywhereChain OUTPUT (policy ACCEPT 41 packets, 3670 bytes)
pkts bytes target prot opt in out source destinationChain SNATVS (1 references)
pkts bytes target prot opt in out source destinationI also tried it with no interfaces in the Nat Enabled Interface using the following IP Tables:
iptables -t nat -I POSTROUTING 1 –src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 –src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 –src 152.93.0.0/16 -o ETH00 -j MASQUERADEThe output iptables -t nat -L -v result
root@fw root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 194 packets, 16902 bytes)
pkts bytes target prot opt in out source destinationChain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all — any eth1.70 152.93.0.0/16 anywhere
0 0 MASQUERADE all — any eth1.30 192.168.1.0/24 anywhere
0 0 MASQUERADE all — any eth1.20 172.30.0.0/16 anywhere
0 0 MASQUERADE all — any ETH00 172.30.0.0/16 anywhere
0 0 MASQUERADE all — any ETH00 192.168.1.0/24 anywhere
0 0 MASQUERADE all — any ETH00 152.93.0.0/16 anywhere
239 18110 SNATVS all — any any anywhere anywhereChain OUTPUT (policy ACCEPT 70 packets, 5525 bytes)
pkts bytes target prot opt in out source destinationChain SNATVS (1 references)
pkts bytes target prot opt in out source destinationeitherway, it appears as though it’s not NAT’ing anything. I can’t get out from behind interfaces eth01.20, 30, or 70 that are supposed to be NAT’d.
Thoughts?
There seems to be something wrong with the interfaces you are using, as the iptables command is correct.
-t nat = apply this command in “nat” table.
-I POSTROUTING 1 = install this command in POSTROUTING chain in line 1
–src x.x.x.x/yy = the source IP is x.x.x.x/yy
-o ETH00 = the output interface is “ETH00”
-j MASQUERADE = masquerade the source IP with the IP of the interface ETH00@ppalias wrote:
There seems to be something wrong with the interfaces you are using, as the iptables command is correct.
-t nat = apply this command in “nat” table.
-I POSTROUTING 1 = install this command in POSTROUTING chain in line 1
–src x.x.x.x/yy = the source IP is x.x.x.x/yy
-o ETH00 = the output interface is “ETH00”
-j MASQUERADE = masquerade the source IP with the IP of the interface ETH00How so? What would be wrong with the interfaces?
I am stumped…..We use this same config (minus the WAN IP) on a production router that we have, and all works well.
Anyway you would be willing to take a peek at our config file?
You must be logged in to reply to this topic.